history filter

Restricts the types of activities logged to history files.

Syntax

[no] history <instance> filter <string>

Syntax Description

Keyword
Description

no

(Optional) Removes the history filter.

instance

The history instance to be modified. If the specified instance does not exist, it will be created unless the no keyword was also specified. Must be alphanumeric.

string

The filter string.

Defaults

All history events are logged by default.

Usage Guidelines

Using the history filter command, you can restrict the types of activities that are logged to the history files. The filter syntax is:

<field><op><value>[<cong>…]

Field

The field parameter specifies the field within the history records to test. Valid fields are listed below.

Note that the contextual help for this command may list additional field names that are reserved for diagnostic purposes or for future use.

Field names are case-insensitive.

Field
Description

time

The timestamp on the record. The timestamp format for string comparisons is "YYYY-MM-DDTHH:MM:SS.mmm" (e.g., "2024-06-01T19:23:47.316").

type

The record type; one of "associate", "disassociate", "access", "session", or "comment".

count

For "associate" and "disassociate" records, this is a reference count. For session records with the "fin" flag set, it is the session duration in nanoseconds.

flags

A bit field of flags associated with the record. Valid values for Island include "nonrender" (4), "secure" (16), "blocked" (32), "allowed" (64), and "fin" (128).

mac

The source MAC address of the packet or device associated with the record.

ip

The source IP address of the packet or device associated with the record.

port

The source TCP/UDP port number of the packet or device associated with the record.

destIP

The destination IP address of the packet associated with the record.

destPort

The destination TCP/UDP port number of the packet associated with the record.

sourceName

The name of the interface (e.g., "en0") associated with the device on an "associate" or "disassociate" record.

cat

The numerical value of the website category associated with the record. The cat field is a bit mask, and is therefore usually best tested using the "&" operator.

comment

A text string containing miscellaneous information associated with some records.

country

A two-letter code (e.g., "US") representing the country in which the remote IP address is registered.

Op

The comparison operator.

Operator
Description

=

Matches if the field value is exactly the same as the comparison value. This can be either a string or a numeric comparison depending on the field and the value.

!=

Matches if the field value is not exactly the same as the comparison value. This can be either a string or a numeric comparison depending on the field and the value.

<

Matches if the field value is numerically less than the comparison value.

<=

Matches if the field value is numerically less than or equal to the comparison value.

>

Matches if the field value is numerically greater than the comparison value.

>=

Matches if the field value is numerically greater than or equal to the comparison value.

&

Performs a bitwise test.

Value

The value to compare against. This can be a string, a regular expression, or a numeric value. Strings must be enclosed in quotes if they contain special characters.

Regular expressions are delineated with a slash (e.g., mac=/^B4:AE:2B/). Regular expressions are valid only with the "=" and "!=" operators.

Cong

Joins multiple comparison expressions together.

Operator
Description

| (vertical bar)

Logical "or"

& (ampersand)

Logical "and"

, (comma)

Logical "and"

Examples

history myhist2 filter "type=associate&mac=00:00:5E:00:53:D2"
history blockedlist filter "flags=/blocked/"
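
When filter strings are generated by a script (for example from a MAC or IP address pasted out of a ticket), validating each comparison against the rules above keeps a stray "|" or "&" in a value from turning into an extra comparison. The following Python helper is an added example, not part of the product or its documentation; the function names are hypothetical, and it assumes that no escaping exists for joiner characters or double quotes and that one joiner is used per filter, since the page documents neither escaping nor precedence.

```python
import re

# Field names, operators and flag bit values are copied from the reference above.
FIELDS = {"time", "type", "count", "flags", "mac", "ip", "port", "destip",
          "destport", "sourcename", "cat", "comment", "country"}
OPS = {"=", "!=", "<", "<=", ">", ">=", "&"}
FLAGS = {"nonrender": 4, "secure": 16, "blocked": 32, "allowed": 64, "fin": 128}
JOINERS = {"|", "&", ","}

def flag_mask(*names):
    """OR named flag bits together for use with the "&" operator."""
    mask = 0
    for name in names:
        mask |= FLAGS[name.lower()]
    return mask

def term(field, op, value):
    """Render one <field><op><value> comparison or raise ValueError."""
    if field.lower() not in FIELDS:          # field names are case-insensitive
        raise ValueError(f"unknown field: {field!r}")
    if op not in OPS:
        raise ValueError(f"unknown operator: {op!r}")
    text = str(value)
    if len(text) > 2 and text[0] == text[-1] == "/":
        if op not in ("=", "!="):
            raise ValueError("regular expressions work only with = and !=")
        re.compile(text[1:-1])  # syntax check with Python's engine (dialect assumed)
    elif any(ch in text for ch in JOINERS):
        # Assumption: no escaping is documented, so a joiner inside a plain
        # value is refused instead of silently becoming an extra comparison.
        raise ValueError(f"joiner character in value: {text!r}")
    if '"' in text or not text:
        raise ValueError("empty value or embedded double quote")
    return f"{field}{op}{text}"

def command(instance, terms, joiner="&"):
    """Build the CLI line; one joiner per filter, as precedence is undocumented."""
    if not re.fullmatch(r"[A-Za-z0-9]+", instance):
        raise ValueError("instance must be alphanumeric")
    if joiner not in JOINERS or not terms:
        raise ValueError("need at least one term and a valid joiner")
    return f'history {instance} filter "{joiner.join(terms)}"'

if __name__ == "__main__":
    # Constructed inputs; the first two reproduce the examples from this page.
    print(command("myhist2", [term("type", "=", "associate"),
                              term("mac", "=", "00:00:5E:00:53:D2")]))
    print(command("blockedlist", [term("flags", "=", "/blocked/")]))
    print(command("blockedbits", [term("flags", "&", flag_mask("blocked"))]))
```

The page does not say whether a multi-bit mask with "&" matches any or all of the bits, so test one flag per comparison until that is confirmed on the device.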
